According to a plea agreement, the Federal Bureau of Investigation hacked a dark web user who tried to purchase a mail bomb from an undercover investigator in the United States.
The plea agreement, filed on April 28, 2017, states that Clinton Scott Bass of Georgia in the southeastern United States, using two different pseudonyms, contacted an undercover police officer on a darknet marketplace channel to purchase a car bomb. Later, however, the defendant changed his mind and decided to acquire a mail bomb instead. The undercover officer agreed to sell the explosive to the suspect, who paid $550 in digital currency (most probably Bitcoin or Monero) to the vendor, who then sent an inert device to Bass’ address. Law enforcement authorities then tracked the man to what police believed was his true residence. Investigators were able to determine that the suspect delivered the fake bomb to his target in Hahira, Georgia on the morning of April 27. The Federal Bureau of Investigation arrested the defendant later that day.
Before his arrest, Bass sent the undercover officer his email address at the temporary mail provider Guerilla Mail so that he could receive instructions from the vendor on how to activate the bomb, a search warrant detailed. The FBI sent a phishing email to that specific address in an attempt to acquire information from the defendant, such as his IP address, which the Bureau could use in the investigation. The agency sent Bass a document attached to the mail which, once opened, would send data to the FBI’s server. According to a separate document, law enforcement authorities also installed a pen-trap tool to record all the data coming from the hack.
However, it is unclear whether the hacking attempt – known as a Network Investigative Technique (NIT) – was successful. An executed warrant document showed that law enforcement authorities were able to retrieve 19 different IP addresses in the case; however, no document indicated that useful evidence was recovered through the hacking attempt. One reason for the high number of IP addresses could be that the defendant either shared his Guerilla Mail account or used a VPN service, in addition to Tor, to mask his true IP address.
“The way I see it is, the FBI has to do something to catch criminals, and at least in this case they didn’t resort to draconian methods such as mass surveillance without a warrant,” Flashmob, the administrator of Guerilla Mail, told the media.
“Instead, they used a simple procedure with a warrant that doesn’t need much technical ability,” he said.
Electronic Frontier Foundation (EFF) security researcher Cooper Quintin also said that there was no problem with the FBI’s phishing in the current case.
Last year, the government authorized Rule 41, which allows searches on users of anonymizing services, such as Tor. There are only a handful of cases where law enforcement authorities used warrants in such instances. In the current case, the FBI legally used the phishing technique to arrest Bass.
Many say there was no problem with the phishing; however, there was some concern regarding “Stingray”, a cell site simulator, which the FBI also used to catch Bass. The tool pretends to be a cell tower and forces nearby mobile devices to connect to it. Once a target number connects, law enforcement authorities can determine the location and other technical information associated with that number. In such cases, however, there is a risk that investigators may also intercept devices belonging to innocent citizens.
When the FBI tracked Bass, they were able to search for a number they believed the defendant used. Law enforcement authorities acquired the number in a previous arrest in February on charges of aggravated assault and home invasion. When the police questioned Bass’ girlfriend, she confirmed that the number was the defendant’s. The warrant allowed federal agents to use Stingray to acquire Bass’ location.
Thanks to the FBI’s hacking tools, Bass pleaded guilty in late April to charges of attempting to receive and transport explosive materials with the intent to kill, injure or intimidate. The prosecution is planning to recommend a sentence of 120 months in prison for the defendant. His trial will be held on July 12.
Leroy Terrelonge, a director of research for cyber intelligence company Flashpoint, said that, most probably, Bass used AlphaBay, currently the biggest marketplace on the dark web, to acquire the (fake) mail bomb from the undercover police officer. The researcher added that he believes that most of the vendors selling WMDs (Weapons of Mass Destruction) are either scammers or undercover police officers running honeypot operations.